We have a "web site" project created many years ago. Currently the "web site" project is maintained in VS2019. We use .NET 4.7.2.
The web site resides in our production server, say in the folder d:\mywebsite
Our network team used to have antivirus set to whitelist the entire D: drive. Now they are looking into narrowing down to designated folders.
My question is, which executable runs when the web site runs? I only see a lot of DLLs in the bin subfolder (and a few .exe files, but they don't seem relevant, e.g. csc.exe, VBCSCompiler.exe).
Is there another folder (in the C: drive perhaps) that is being executed when a user accesses the web site and runs a web form? What executable exactly? What is the location?
As a reference, for some desktop Winforms apps, when I compile, an .exe is generated.
Even for web applications I wrote in ASP.NET Core, you can see there is the app executable created.
2 Answers
For .NET Framework, which is everything in the 4.x series and earlier, the executable is almost always w3wp.exe, usually in C:\Windows\System32\inetsrv, and it runs as part of the IIS web server. This file is not just your web site. It's a shared host for any .NET code running on that web server, meaning adding this to an allowlist can still be a much broader exemption than desired.
Starting with .NET Core, this is much less likely to remain true, and it’s more common for web sites to build as their own separate application. But you can still host .NET Core sites with IIS, and that remains common in places with shared legacy infrastructure.
Your web site may further load additional *.dll or other binary files, but exactly what that looks like depends on how the project/solution is built. At the very least, examine your D:\mywebsite\bin folder and look at the .dll files there.

But if it were me, I would NOT use an allowlist for my site at all. When (not "if", because everyone makes mistakes) we eventually push out a flaw in our code, if someone manages to take advantage in a way that lets them use or mimic malware on my server, I want to know about it as quickly as possible. By its nature, any web site is an attack surface, and to the degree possible I want my attack surfaces monitored.
That is, I believe it’s a mistake to blindly trust your own code.
Instead, I like my Test/QA/Staging environments to have the same antivirus protection as production and then ensure everything is well-tested and gets a good work-out before going to production, so I’m confident normal operation does not trigger detections in the first place. If my code is triggering detections, I want to refactor that code until this no longer happens.
There have been times where a 3rd party component would cause detections at load, and we’ve had to exempt the dll for that library. There have also been times where we’ve retired the component, and either found a replacement, built the feature ourselves, updated the app to avoid the need, or even done without — because this really is that important.
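As an added illustration of the point above (not part of the original answer), the following PowerShell script maps each running w3wp.exe worker to the application pool it serves and groups the DLLs it has loaded by folder, so you can see how much of that process is shared runtime versus your own site code. It assumes the site path D:\mywebsite from the question and that it is run elevated on the web server.

```powershell
# Added example, not from the original answer: list each IIS worker process
# (w3wp.exe), the application pool it serves, and the folders it loads DLLs from.
# Assumption: the site lives in D:\mywebsite as stated in the question.
$SiteRoot = 'D:\mywebsite'

function Get-IisWorkerModules {
    param([string]$SiteRoot)

    # IIS starts every worker as:  w3wp.exe -ap "<AppPoolName>" ...
    # Win32_Process exposes that command line, so we can map PID -> pool.
    $workers = Get-CimInstance Win32_Process -Filter "Name = 'w3wp.exe'"
    foreach ($w in $workers) {
        $pool = if ($w.CommandLine -match '-ap\s+"([^"]+)"') { $Matches[1] } else { '<unknown>' }

        # Module enumeration needs admin rights and the same bitness as the worker;
        # a 32-bit pool inspected from 64-bit PowerShell is reported with no modules.
        $modules = @()
        try { $modules = (Get-Process -Id $w.ProcessId -ErrorAction Stop).Modules } catch { }

        # Group loaded files by folder. Most come from shared runtime locations
        # (System32\inetsrv, Microsoft.NET\Framework64, the GAC). ASP.NET also
        # shadow-copies bin\*.dll and compiled pages into "...\Temporary ASP.NET Files\",
        # so the site's own code often appears there rather than under $SiteRoot\bin.
        $byFolder = $modules | Group-Object { Split-Path $_.FileName -Parent } |
            Sort-Object Count -Descending

        [pscustomobject]@{
            ProcessId  = $w.ProcessId
            AppPool    = $pool
            Executable = $w.ExecutablePath   # normally C:\Windows\System32\inetsrv\w3wp.exe
            SiteDlls   = @($modules | Where-Object { $_.FileName -like "$SiteRoot\*" }).Count
            Folders    = @($byFolder | ForEach-Object { '{0,4}  {1}' -f $_.Count, $_.Name })
        }
    }
}

$report = @(Get-IisWorkerModules -SiteRoot $SiteRoot)
if ($report.Count -eq 0) {
    Write-Warning 'No w3wp.exe is running; request a page so IIS starts a worker, then re-run.'
}
foreach ($r in $report) {
    $line = "PID {0}  pool '{1}'  exe {2}  ({3} module(s) directly under {4})"
    Write-Host ($line -f $r.ProcessId, $r.AppPool, $r.Executable, $r.SiteDlls, $SiteRoot)
    $r.Folders | ForEach-Object { Write-Host "    $_" }
}
```

Several pools sharing one Executable path in the output is exactly the "shared host" situation the answer warns about: an exemption on w3wp.exe covers every site on the box, not just this one.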
Sorry, I think I was not clear. If the antivirus (Defender, ASR etc.) does not whitelist designated executables (e.g. myApp.exe) or folders, then the application will be prevented from running (e.g. "access denied" error). We have had a lot of problems with this in the past. Therefore they must whitelist designated executables or folders to prevent these errors. My question was just specific to the executable running for web apps (for our setup, definitely IIS w3wp.exe, and even for .NET Core we're also using IIS).